Erm, you should never see the mouse moving with RDP. They'd be logged in on a different session, or you'd get logged out. Only remote video based remote desktop services like VNC or GoToMyPC would allow such behaviour. If you see the mouse moving and you don't have such services, someone's probably installed a Remote Access Trojan (RAT) on your box. Pull the network cable immediately.
– Polynomial, Sep 10 '12 at 19:39


@Polynomial: I think the mouse-moving thing is possible with RDP when used in "shared mode" -- the mode which is meant for sysadmins to rescue stranded users.
– Thomas Pornin, Sep 10 '12 at 19:45


@ThomasPornin If it were the case, Remote Assistance requires user interaction. On XP, it watermarks the desktop and displays a control box at the top of the screen. On Vista/7, the Remote Assist launch box requires elevation via the secure desktop, and shows a similar control box. I doubt an attacker gained access in such a manner without OP giving permission.
– Polynomial, Sep 10 '12 at 19:49


Are you actually seeing activity on that port (i.e.: via network traffic monitoring tools) or are you just seeing the mouse moving, and presuming this to be the cause? If the latter, have you physically checked the machine to be sure no unauthorized peripherals (i.e.: someone else's wireless mouse) have been attached?
– Iszi, Sep 10 '12 at 20:16


You don't "detect activity on port 3389" with mouse movements. You do it with monitoring tools. Do you have any related output of those or do you automagically assume "mouse movement = scary cracker on RDP"?
– Oleg V. Volkov, Sep 11 '12 at 14:27

2 Answers

Option 1 involves physically unplugging the machine from the network, then treating it as hostile. It's been infected, therefore it's no longer your computer. Grab whatever files you need from it via a live CD, and wipe the drive. Make sure to run an up-to-date AV over the files you copy, just in case they've been infected with anything. This especially includes documents (.doc, .pdf, etc), as well as scripts and executables, as they're a common target these days.

Option 2 involves potentially losing data, and giving the attacker time to do nasty things with your computer / network. Grab a bunch of tools (Wireshark / Process Explorer) and work out what the hell is going on.

Some tips:

Store the Wireshark .pcap dump on a removable drive for later analysis.

Run netstat -an to get a full list of active TCP connections / listeners.

Launch Process Explorer, save the process list to a file, then dig around in anything that looks unusual.

Do a memory dump of potentially infected / malicious processes using ProcDump, with the following command: procdump -mp <pID>. Save the dumps somewhere safe.

Shut down the machine, load it into a live CD, then manually analyse the registry and file system using forensics tools.

I highly recommend option 1 for safety, but the second option will provide you with a better idea of who the attacker is and what they're up to.
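An added example (mine, not code from either answer or from the commenters) of the "netstat -an" step above, and of the point the commenters make about checking for real activity on port 3389 rather than inferring it from mouse movement: a small Python script that parses Windows-style netstat -an output and reports whether RDP is listening, which peers hold an ESTABLISHED session to port 3389, and which other established connections go to addresses outside the local ranges. The netstat text is constructed sample data; its peer addresses are RFC 5737 documentation addresses standing in for public ones, so the script classifies "external" with its own RFC 1918 / loopback / link-local list rather than ipaddress.is_private (which would treat the documentation ranges as non-public).

```python
"""Triage helper: parse `netstat -an` (Windows layout) and flag RDP activity.

Added example for the answer above; not part of the original post.
"""
import ipaddress
import re

RDP_PORT = 3389

# One netstat line: proto, local endpoint, remote endpoint, optional state (UDP has none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

# Ranges treated as "internal" for triage purposes (assumption: RFC 1918,
# loopback, link-local and unspecified). Everything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "::/128", "fe80::/10", "fc00::/7",
)]

# Constructed sample output (not real data); peers use RFC 5737 documentation ranges.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:3389      203.0.113.45:51022     ESTABLISHED
  TCP    192.168.1.20:49710     192.168.1.1:80         TIME_WAIT
  TCP    192.168.1.20:49712     198.51.100.7:4444      ESTABLISHED
  TCP    [::]:3389              [::]:0                 LISTENING
  UDP    0.0.0.0:3389           *:*
"""


def split_endpoint(endpoint):
    """'192.168.1.20:3389' -> ('192.168.1.20', 3389); '[::]:0' -> ('::', 0); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per connection line; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, remote, state = m.groups()
        lhost, lport = split_endpoint(local)
        rhost, rport = split_endpoint(remote)
        entries.append({"proto": proto, "lhost": lhost, "lport": lport,
                        "rhost": rhost, "rport": rport, "state": state or ""})
    return entries


def is_external(host):
    """True when the address falls outside INTERNAL_NETS; '*' and hostnames are not classified."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def rdp_listening(entries):
    """Is anything bound to TCP/UDP 3389 in LISTENING state?"""
    return any(e["lport"] == RDP_PORT and e["state"] == "LISTENING" for e in entries)


def rdp_sessions(entries):
    """Peers (host, port) holding an ESTABLISHED TCP connection to local port 3389."""
    return [(e["rhost"], e["rport"]) for e in entries
            if e["proto"] == "TCP" and e["lport"] == RDP_PORT and e["state"] == "ESTABLISHED"]


def external_connections(entries):
    """All ESTABLISHED TCP connections whose peer is outside the internal ranges."""
    return [(e["lport"], e["rhost"], e["rport"]) for e in entries
            if e["proto"] == "TCP" and e["state"] == "ESTABLISHED" and is_external(e["rhost"])]


def triage(text):
    """Summarise the netstat text into the three questions a first responder asks."""
    entries = parse_netstat(text)
    return {
        "rdp_listening": rdp_listening(entries),
        "rdp_sessions": rdp_sessions(entries),
        "external_connections": external_connections(entries),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_NETSTAT)
    print("RDP listening:", report["rdp_listening"])
    for host, port in report["rdp_sessions"]:
        print(f"ESTABLISHED RDP session from {host}:{port}")
    for lport, host, port in report["external_connections"]:
        print(f"external connection local:{lport} <-> {host}:{port}")
```

On a live host you would feed it the saved output of netstat -an (netstat -ano adds the owning PID, which you can then match against the Process Explorer list and hand to procdump); the point is that an ESTABLISHED entry on 3389 from an unexpected peer, or an established connection to an outside address on an odd port, is evidence, whereas mouse movement alone is not.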

The first thing you should do is physically disconnect the computer from the network. You might think simply "pulling the plug" would be better from the security point of view and you'd be right. However, by pulling the plug you lose valuable forensic data. You should then notify the person responsible for IT Security of your computer. If that person is you, then you should start a forensics investigation to find out how this happened, why and how to prevent it from happening in the future. Comment if you'd like to know more.